METHODS AND SYSTEMS TO PROVIDE PLATFORM EXTENSIONS FOR TRUSTED VIRTUAL MACHINES

US 20110061050A1
Filed: 09/04/2009
Published: 03/10/2011
Est. Priority Date: 09/04/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method, comprising:

hosting a virtual machine (VM) on a computing platform, wherein the computing platform includes resources that are access protected with respect to processes hosted under control of a VM manager;

authenticating the VM at least in part with hardware based authentication logic;

determining a subset of the resources that the authenticated VM is permitted to access;

recording the authentication and the permitted access in a portion of memory that is access protected with respect to the processes hosted under control of the VM manger;

receiving a request from the VM to access a requested resource of the computing platform;

verifying, from the protected portion of memory, that the VM is authenticated and permitted to access the requested resource; and

providing the VM with access to the requested resource in accordance with the verifying;

wherein the authenticating, the determining, the recording, the receiving, the verifying, and the providing are performed independent of the VM manager.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems to authenticate a privileged virtual machine (VM), such as a monitoring VM, at a computing platform. Once authenticated, the privileged VM may access privileged resources, including data from the computing platform, via a VM manager or via defined instructions. Such data may include state information of other VMs. The state information may include performance counters of the other VMs. Such instructions may include ones that are not available to non-privileged VMs.

Citations

20 Claims

1. A method, comprising:
- hosting a virtual machine (VM) on a computing platform, wherein the computing platform includes resources that are access protected with respect to processes hosted under control of a VM manager;
  
  authenticating the VM at least in part with hardware based authentication logic;
  
  determining a subset of the resources that the authenticated VM is permitted to access;
  
  recording the authentication and the permitted access in a portion of memory that is access protected with respect to the processes hosted under control of the VM manger;
  
  receiving a request from the VM to access a requested resource of the computing platform;
  
  verifying, from the protected portion of memory, that the VM is authenticated and permitted to access the requested resource; and
  
  providing the VM with access to the requested resource in accordance with the verifying;
  
  wherein the authenticating, the determining, the recording, the receiving, the verifying, and the providing are performed independent of the VM manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the hosting includes hosting another process on the computing platform outside of the VM and under control of the VM manager, and wherein the requested resource includes information related to the other process, the method further including:
    - counting accesses to another resource of the computing platform initiated by the other process, under control of the VM manager; and
      
      storing a count of the accesses in the access protected portion of memory;
      
      wherein the providing of the VM with access to the requested resource includes providing the count from the protected portion of memory to the VM; and
      
      wherein the counting and the storing are performed under control of the VM manager.
  - 3. The method of claim 2, wherein the VM corresponds to a first VM and the other process includes a second VM, wherein the storing includes:
    - storing the count in the protected portion of memory in response to an exit of the second VM.
  - 4. The method of claim 3, further including:
    - hosting a cloud computing environment from within the second VM; and
      
      providing computing usage statistics associated with the second VM from within the first VM.
  - 5. The method of claim 2, wherein the storing includes:
    - trapping a change to a control register associated with a control interrupt from within the VM manager; and
      
      storing the count in the protected portion of memory in response to the trap and under control of firmware.
  - 6. The method of claim 5, wherein the other process corresponds to a cloud computing environment, the method further including:
    - providing computing usage statistics associated with at least a portion of the process from within the VM.
  - 7. The method of claim 1, wherein the recording includes:
    - recording the authenticating and the permitted access in a virtual machine control structure within the access protected portion of memory.

8. A computer program product including a computer readable medium having computer program logic stored therein, the computer program logic including:
- logic to cause a processor to host a virtual machine (VM) within a computing platform,wherein the computing platform includes resources that are access protected with respect to processes hosted under control of VM management logic, wherein the hosting logic includes,authentication logic to cause the processor to authenticate the VM in conjunction with hardware based authentication logic,logic to cause the processor to determine a subset of the resources that the authenticated VM is permitted to access,record logic to cause the processor to record the authentication and the permitted access within a portion of memory that is access protected with respect to the processes hosted under control of the VM management logic,logic to cause the processor to receive a request from the VM to access a requested resource,verify logic to cause the processor to verify, from the access protected portion of memory, that the VM is authenticated and permitted to access the requested resource, andaccess logic to cause the processor to provide the VM with access to the requested resource in accordance with results of the verify logic.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, wherein the computer program logic further includes:
    - logic to cause the processor to host another process on the computing platform;
      
      logic to cause the processor to count accesses to another resource of the computing platform initiated by the other process; and
      
      store logic to cause the processor to store the count in the access protected portion of memory;
      
      wherein the access logic includes logic to cause the processor to provide the count from the protected portion of memory to the VM.
  - 10. The computer program product of claim 8, wherein the VM corresponds to a first VM and the other process is associated with a second VM, and wherein the store logic includes:
    - logic to cause the processor to store the count in the protected portion of memory in response to an exit of the second VM.
  - 11. The computer program product of claim 10, wherein the computer program logic further includes:
    - logic to cause the processor to host a cloud computing environment from within the second VM; and
      
      logic to cause the processor to provide computing usage statistics associated with the second VM from within the first VM.
  - 12. The computer program product of claim 9, wherein the store logic includes:
    - logic to cause the processor to trap a change to a control register associated with a control interrupt;
      
      wherein the count is stored in the protected portion of memory under control of firmware in response to the trap.
  - 13. The computer program product of claim 12, wherein the other process corresponds to a cloud computing environment, the computer program product further including:
    - logic to cause the processor to provide computing usage statistics associated with at least a portion of the other process from within the VM.
  - 14. The computer program product of claim 8, wherein the record logic includes:
    - logic to cause the processor to record the authentication and the permitted access in a virtual machine control structure within the access protected portion of memory.

15. A system, comprising:
- a computing platform including a processor and hardware-based authentication logic; and
  
  memory in communication with the processor to store instructions to control the processor to,host a virtual machine (VM) on the computing platform, wherein the computing platform includes resources that are access protected with respect to processes hosted under control of a VM manager,authenticate the VM under control of the hardware based authentication logic,determine a subset of the resources that the authenticated VM is permitted to access,record the authentication and the permitted access in a portion of memory that is access protected with respect to the processes hosted under control of the VM manger,receive a request from the VM to access a requested resource,verify, from the protected portion of memory, that the VM is authenticated and permitted to access the requested resource, andprovide the VM with access to the requested resource in accordance with the verification.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the memory further includes instructions to cause the processor to:
    - host another process on the computing platform;
      
      count accesses to another resource of the computing platform initiated by the other process; and
      
      store a count of the accesses in the protected portion of memory; and
      
      provide the count from the protected portion of memory to the VM.
  - 17. The system of claim 16, wherein the VM corresponds to a first VM and the other process is associated with a second VM, and wherein the memory further includes instructions to cause the processor to:
    - store the count in the protected portion of memory in response to an exit of the second VM.
  - 18. The system of claim 17, wherein the memory further includes instructions to cause the processor to:
    - host a cloud computing environment from within the second VM; and
      
      provide computing usage statistics associated with the second VM from within the first VM.
  - 19. The system of claim 15, wherein the memory further includes instructions to cause the processor to:
    - host another process on the computing platform; and
      
      trap a change to a control register associated with a control interrupt,wherein the computing platform includes firmware to store the count in the protected portion of memory in response to the trap.
  - 20. The system of claim 15, wherein the memory further includes instructions to cause the processor to:
    - record the authentication and the permitted access in a virtual machine control structure within the access protected portion of memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Raghunath, Arun, Sahita, Ravi L.

Application Number

US12/554,376
Publication Number

US 20110061050A1
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 11/3466   Performance evaluation by t...

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 2201/815   Virtual

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/105   Multiple levels of security

H04L 67/08   specially adapted for termi...

METHODS AND SYSTEMS TO PROVIDE PLATFORM EXTENSIONS FOR TRUSTED VIRTUAL MACHINES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS TO PROVIDE PLATFORM EXTENSIONS FOR TRUSTED VIRTUAL MACHINES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links